Safe Harbor Destroyed: US Must Fix it, And Soon

European privacy standards are often regarded as much more stringent than those found in other parts of the world. Other developed nations, the US included, are lagging behind in protecting their netizens’ privacy. Through standards and laws over the years, the European Union has provided many protections that netizens from other countries haven’t even thought to ask for. Some of the safeguards enable an individual to access information held about them, be given notice about how their data is collected and used, and have the opportunity to opt out of things like a website’s use of cookies. None of these are guaranteed rights in the US.

The European Union understands that these protections are not provided in every country. However, given the nature of the internet, it wanted to ensure the security of its citizens’ data regardless of the country where the physical data is being held. This desire gave birth to the safe harbor agreement between the EU and the US. It allowed US companies to freely transfer data between the US and Europe, provided that they adhered to the minimum guidelines set forth by the EU Data Protection Directive.

Since the start of the safe harbor agreement in July of 2000, companies have been required to self-certify, or hire a third party to certify, that they are adhering to the standards.

This is a win-win. European citizens can feel secure that their data is as protected by American companies as it is in their own country, US companies are not prevented from trans-Atlantic dealings, and the internet remains open across borders.

There is a disturbance in the force.

Safe Harbor Invalidated

Max Schrems is an Austrian privacy activist who has been filing lawsuits for several years. Bolstered by the Snowden revelations in 2013, his claims of privacy violations by the US have gained more and more traction. Schrems argued to several different national data protection agencies that companies like Facebook cannot guarantee the standards promised in safe harbor given the nature of the NSA and its programs like PRISM and XKEYSCORE.

Schrems initially brought a case against Facebook regarding its data center in Ireland. The court ruled that the exportation of data was protected by safe harbor. Unsatisfied with the result, Schrems appealed, which eventually landed the case in the European Court of Justice (CJEU), a court whose rulings cannot be appealed.

After reviewing the NSA programs, the court ruled the safe harbor agreement invalid.

Part of the landmark ruling said:

…the existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities.

The full implications of the ruling aren’t clear, and any predictions are hard to call because there are many possible courses of action from here, some of which are already underway.

Where to Run When There is No Safe Harbor

The US now finds itself at a crossroads. Of course the European market is essential to the US. Under the safe harbor agreement we enjoyed free-flowing business models across the Atlantic. However, also because of safe harbor, the NSA likely breached millions of EU netizens’ privacy.

The most direct route forward would be to alter section 702 of FISA and Executive Order 12333, signed by President Reagan in 1981. Section 702 and the executive order are what the NSA has used as the legal basis for its global mass surveillance programs. Danny O’Brien from the Electronic Frontier Foundation (EFF) put it best when he wrote:

These are the secretive and [overboard] regulations that permit NSA to use PRISM and a raft of other programs to spy on Europe and beyond. Equally important, the United States must revisit the laws, regulations, and institutional processes that allow these programs to fester in the dark, largely unaccountable to the public. It is the failure of these laws to adequately rein in the intelligence services that led to this case, and will lead to many more.

There are also two bills already in the works. The first is the Judicial Redress Act, which was introduced in March of this year and was authored by the same congressman, Jim Sensenbrenner, who wrote the USA PATRIOT and USA FREEDOM Acts. This act was written in anticipation of the ruling that the CJEU handed down last week. It allows citizens of certain countries, specifically European ones, to see and correct information in their records that may allow them to be monitored.

The other option is the Consumer Privacy Bill of Rights, which was introduced by President Obama in 2012. The draft was finalized and published in February of this year. If this bill makes it into law, it will provide many of the same safeguards that the EU Data Protection Directive ensures for EU citizens.

If something is not done on the United States’ side of things, then the consequences may be disastrous for US companies. Not only do top tech giants like Facebook, Google, and Microsoft rely on the safe harbor agreement, but so do 4,500 other companies, not all of them in the technology industry. With the new ruling, each company may find itself in a tangled web of data privacy laws.

The lapsing of the safe harbor agreement forces all these companies to comply with every privacy law in each of the 28 member states of the EU. In some countries, data transfers to the US may be outright suspended. This will undoubtedly cost the US not only business but also money, in order to implement the changes and protocols needed to comply with the laws of over 20 different nations.

Although all privacy advocates would love to see major reform of the aforementioned section 702 and Executive Order 12333, achieving greater consumer safeguards online is also a valuable goal. Realistically, it is unlikely that anything about those two will change. It’s much more likely that one of the two bills already introduced will get pushed through into law.